New variant of the police scareware virus emerges

Luis Corrons, technical director at PandaLabs, has today described a new version of the increasingly common police virus. The police virus is malware that pretends to come from the national law enforcement agency of the victim’s country. Typically it displays a screen warning the user that ‘illegal activity’ has been traced to this computer – and demanding payment of a legal fine. The intent is simply to frighten the user into paying the money; hence the term ‘scareware’.

The next evolution of this malware was into ‘ransomware’. Just as national law enforcement agencies have started to ‘take over’ illegal websites, so this new ransomware ‘takes over’ the infected computer by encrypting some of its content – forcing the user to pay the fine or lose access. “The first versions of this new police virus,” writes Corrons, “were only encrypting .doc files, and the encryption was not really hard, so it was possible to decrypt them without having the key.” Now a more sophisticated encryption is being used. “Not only that, but the key is different for every computer that has been infected, so unless anyone has access to the server where the keys are stored there is no way to recover those files.” The selection of files to encrypt has also become more sophisticated. Some variants use a blacklist of extensions that are encrypted; others encrypt everything except a whitelist of critical system files.

Now PandaLabs has detected yet another variant. This variant doesn’t currently encrypt any files. Instead it takes over the user’s webcam and inserts a picture taken by that webcam into its warning screen. It could be of the user, or just his or her empty chair; but either way it will be immediately recognizable by the user. The implication now is that law enforcement knows not only what the computer has been doing, but also what the user has been doing. Corrons’ blog has a screenshot of the virus. “As you can see,” he writes, “there is a frame where the stream of the webcam is shown, and a caption that says [in Spanish in this instance] ‘Video recording’.” It isn’t recording, nor sending video anywhere; it’s just displaying an image taken by the webcam. “But of course the user doesn’t know this, and most of them will be really scared and will pay asap to get rid of this.”

Corrons notes that encryption isn’t used. “They must have thought that the webcam use is scary enough,” he writes. But if this variant follows normal evolution, we can perhaps expect to see streaming video protected by encryption that the user cannot stop.
